Corporate sustainability due diligence in practice, part 1

The importance of corporate behaviour in the climate transition and in achieving sustainable development has led to increasing requirements on responsible business conduct and an ongoing shift towards more binding rules relating to sustainability. According to a proposal for a new EU directive, companies will be required to carry out due diligence regarding sustainability. The main features of the proposal have been described here. In this series of articles, Cederquist’s Corporate Sustainability specialists describe the due diligence measures to be taken according to the proposed directive and existing international standards in the area.

In this context, due diligence refers to the process that companies should undertake to identify, address, and disclose risks and adverse impacts on the environment and human rights related to their operations and value chains. In the proposed directive, the due diligence process is based on the six steps set out in the OECD Due Diligence Guidance for Responsible Business Conduct, namely that companies should: (i) embed responsible business conduct into policies and management systems, (ii) identify and assess actual and potential adverse impacts, (iii) cease, prevent or mitigate adverse impacts, (iv) track implementation and results, (v) communicate how impacts are addressed and (vi) provide for or cooperate in remediation of adverse impacts. 

Although the due diligence process is often described as a series of actions to be taken in different steps, it is not simply a static list of actions to go through. On the contrary, due diligence is characterised by the fact that it is a dynamic process, in which the different steps are carried out simultaneously, and information generated from one activity must be considered in others. In the event of changes that may affect the company’s risk profile such as new production processes, expansion into new geographical areas, or external factors such as the outbreak of a conflict where the company has parts of its value chain, the due diligence process may need to be adapted accordingly. Through feedback and assessment of what has worked and what has not, the process can also be continuously developed and improved.

An effective due diligence process is based on embedding due diligence into the company’s policies and management systems. This first step will be described in more detail below.

The proposed requirement to embed due diligence into the company’s policies

The proposed directive requires companies to embed human rights and environmental due diligence into their policies.

Companies shall establish a due diligence policy, which must be updated at least annually. Certain minimum requirements for the content of the due diligence policy are set out. To begin with, companies must describe their approach, including in the long term, to sustainability due diligence. The policy shall also contain a code of conduct describing rules and principles to be followed by the company’s employees and subsidiaries. Finally, the policy must include a description of the due diligence processes put in place, including the measures taken to verify compliance with the code of conduct and to extend its application to established business relationships. 

Companies shall also embed human rights and environmental due diligence into all other corporate policies. The wording of the proposed directive and its explanatory memorandum does not provide any further guidance on what this requirement entails in practice. As with other due diligence measures, it is not possible to give any general answer as to what concrete measures need to be taken to comply with the requirements, since these will differ from one company to another depending on the company’s size and organisation, as well as its risk profile based on, inter alia, industry, type of services or product and geographical factors.

Since the proposed directive is based on existing international voluntary standards from the UN and OECD, companies that already wish to start integrating human rights and environmental due diligence into their policies and management systems may seek further guidance from these, pending the adoption of a final directive and further guidance regarding its application. In the following, the main features of the measures recommended for integrating due diligence into policies and management systems in the OECD Due Diligence Guidance for Responsible Business Conduct are outlined.

Update and communicate the company’s policies on an ongoing basis

As a first step, the company’s existing policies must be reviewed to evaluate what policies the company has in place and to what extent sustainability aspects are considered, in particular regarding the company’s sustainability risks. Unlike more traditional corporate risk management, the relevant risks in this context are those of adverse impact on people, the environment and society linked to the company’s operations and value chain. However, failure to identify and manage the company’s human rights and environmental risks usually also entails a significant risk for the company itself, which may be affected by financial sanctions, reputational damage, and disrupted operations.

Based on the results of the inventory, the company’s policies might need to be updated and supplemented to cover significant risks and to ensure that human rights and environmental due diligence is observed in all aspects of the business. In accordance with the proposed directive, the company should have a specific policy that stipulates its overall strategy and procedures for sustainability due diligence, as well as the code of conduct to be followed by employees and others involved in the operations of the company, its subsidiaries, and its business relations. The company may also need to establish specific policies in areas where significant risks have been identified.  

For the company’s policies to be effective, the policies need to be communicated both internally and externally in appropriate ways, such as on the company’s website, the company’s intranet and on its premises. The communication should be carried out in a way that is accessible for the intended recipients, which may require, for example, translation into local languages or adaptation of the form of communication in situations where formal policy documents are difficult to understand. The company should provide training regarding the company’s policies, e.g., periodically as part of the introduction of new employees, and also specific training targeted to those that are involved in different business processes or otherwise particularly affected in a specific area.

As mentioned above, the company’s policies need to be continuously reviewed and updated as the company’s business or external factors change. The need for improvement measures may also be identified when the company evaluates the effectiveness of its due diligence measures.

Integrate due diligence into the company’s regular business processes

The process of human rights and environmental due diligence cannot be conducted separately from the company’s other activities. On the contrary, the due diligence process affects all functions and parts of the business operations and therefore requires commitment, information sharing and collaboration through all steps. The bottom line is that sustainability considerations need to become a natural part of all business processes. In the same way that the economic impacts of different decisions and actions are assessed, the effects on people, environment and society must be considered.

Although sustainability has been established as a board topic in many companies in recent years, it is important to ensure that it remains high on the agenda. This can be achieved by ensuring that overall responsibility is allocated at board and management level, as well as by assigning a clear responsibility for different aspects of the implementation of policies and measures to relevant departments and functions.

To achieve the necessary cooperation and exchange of information within the company, appropriate communication channels are required as well as systems for managing information about the company’s due diligence processes, risks, decision making and outcomes. There may also be a need to create specific meeting forums or cross-functional working groups with representatives from different functions and parts of the organisation. As already mentioned, the knowledge and feedback gained from the due diligence process should also be considered in the company’s continuous risk assessment and improvement of its due diligence processes and measures. This requires that information is adequately managed.

Regarding the intra-corporate aspects, companies should also review the incentives to take due account of sustainability factors within the company’s organisation. The behaviour of the company’s management and employees is often determined by how the company sets goals and measures results, and by the company’s remuneration systems. It must be ensured that the company rewards behaviour that is in line with its policies, rather than the opposite.

As we will come back to in an upcoming article, the company should have a complaints procedure, through which employees can report risks or actual adverse impacts related to the company’s operations, as well as shortcomings in the internal due diligence processes. The company also needs to ensure that there are procedures in place for investigating, responding to and, where appropriate, remedying adverse impacts.

Set requirements for and engage the company’s suppliers and business relationships

The fact that the negative effects on human rights and the environment often occur further down the corporate value chains is an important reason for the increasing introduction of legislation with extensive obligations regarding due diligence in this regard. In light of this, the company’s actions must extend not only to its own operations and subsidiaries, but also to activities in the value chain linked to the company. The company needs to set requirements for and engage its suppliers and other business relationships in the efforts to respect human rights and the environment.

Thus, companies need to communicate essential parts of their due diligence policies and relevant sustainability risks to their suppliers and other business relationships. However, this is not sufficient to ensure that the requirements and ambitions set by the company are met. Pre-qualification processes for suppliers and other business relationships should be developed, where specific criteria must be met by the party before a transaction takes place or a business relationship is entered into. The criteria should be adapted to the specific risks that have been identified as relevant for the business relationship and its activities or areas of operation. When an agreement is entered into, it should include requirements relating to the relevant risks, as well as a regulation of the possibilities of monitoring and the consequences of non-compliance.

Where necessary, particularly in the case of small and medium-sized companies, the company may need to provide appropriate resources and training to suppliers and other business relationships to enable them to understand relevant risks and meet the company’s human rights and environmental due diligence requirements.

The company also needs to review the incentives for suppliers and other business relationships to comply with the company’s policies and code of conduct. In some cases, the procurement procedures or commercial terms used, such as pricing and discount mechanisms, may reward parties that act in a way that creates a risk of human rights and the environment being disregarded along the value chain. Similarly, the company can create incentives in its business relationships to promote the respect for human rights and the environment, for example by linking better terms to improvements in the party’s performance on certain sustainability factors or goals.